CLAIM AMENDMENTS 

1-52 (Cancelled) 

53. (Currently Amended) A method of managing network traffic 
being routed through a network connection device, the network 
connection device having a first set of operations, the network 
traffic being composed of at least first and second traffic flows, 
each traffic flow being composed of at least one data packet, and the 
method comprising: 

(a) instantiating a virtual machine on the network connection 
device, the virtual machine having a second set of operations, the 
second set of operations being a sub-set of the first set of 
operations, 

(b) receiving at least a rule program at the network
connection device, the rule program including at least: 

(i) a first criterion at the network connection device for 
identifying the traffic flow to which a data packet belongs, 

receiving at least (ii) a second criterion at the
network connection device for classifying a traffic flow as 
belonging to one of at least first and second traffic flow 
classes, and 

receiving (iii) first and second instructions at the
network connection device for processing a data packet, the first 
and second instructions being associated with the first and 
second flow classes respectively, 

(c) executing the rule program by the virtual machine to 
configure the network connection device, 

storing the first and second criteria and the first and
second instructions on the network connection device,

(d) receiving a first data packet that belongs to the first
traffic flow at the network connection device, 

(e) using the first criterion to determine that the first 
data packet belongs to the first traffic flow, 

(f) using the second criterion to determine the traffic flow
class to which the first traffic flow belongs, and 

(g) processing the first data packet according to the
instructions associated with the flow class to which the first traffic
flow belongs,

wherein steps (d) through (g) are managed by the virtual machine. 

54 (Canceled) 

55. (Currently Amended) The method of claim 53, wherein step
(e) comprises comparing a first section of the first data packet to
the first criterion to determine that the first data packet belongs to
the first traffic flow, and step (f) comprises comparing a second
section of the first data packet to the second criterion to determine
the traffic flow class to which the first traffic flow belongs, the
second section being non-exclusive of the first section, wherein the
second section may include at least part of the first section.

56. (Currently Amended) The method of claim 53, further 
comprising the step of receiving supplemental data pertaining to the 
first traffic flow, wherein the supplemental data is received outside 
of the first traffic flow and step (f) further comprises comparing
the supplemental data to the second criterion to determine the class
to which the first traffic flow belongs.

57. (Previously Presented) The method of claim 56, wherein the
supplemental data comprises data concerning network access rights of a 
user of the network, a traffic flow belonging to a user having a first 
level of network access rights being classified as belonging to the 
first traffic flow class, and a traffic flow belonging to a user 
having a second level of network access rights being classified as 
belonging to the second traffic flow class. 

58. (Previously Presented) The method of claim 57, wherein the 
first and second instructions specify respective first and second 
bandwidth allocations. 

59. (Previously Presented) The method of claim 56, wherein the 
supplemental data comprises data concerning network access 
requirements of a network device and the first traffic flow originates 
at the network device. 

60. (Previously Presented) The method of claim 59, wherein the 
network access requirements of the network device are based on network 
access requirements of a client application executing on the network 
device.

61. (Previously Presented) The method of claim 56, wherein the 
supplemental data comprises data concerning network traffic conditions 
at a network device and the first traffic flow originates at the 
network device.

62. (Previously Presented) The method of claim 56, wherein the
supplemental data is received from a registry within which data 
pertaining to multiple network devices is stored. 

63. (Previously Presented) The method of claim 56, wherein the 
supplemental data identifies a work group to which a network device 
belongs and the first traffic flow originates at the network device. 

64. (Previously Presented) The method of claim 56, wherein the 
supplemental data identifies a physical characteristic of a network 
device belongs and the first traffic flow originates at the network 
device.

65. (Previously Presented) The method of claim 56, wherein the 
supplemental data comprises data concerning network access 
requirements of a network device and the first traffic flow is being 
transmitted to the network device. 

66. (Previously Presented) The method of claim 65, wherein the
network access requirements of the network device are based on network
access requirements of a client application executing on the network
device.

67. (Previously Presented) The method of claim 56, wherein the 
supplemental data comprises data concerning network traffic conditions 
at a network device and the first traffic flow is being transmitted to 
the network device.

68. (Previously Presented) The method of claim 56, wherein the
supplemental data identifies a work group to which a network device
belongs and the first traffic flow is being transmitted to the network
device.

69. (Previously Presented) The method of claim 56, wherein the 
supplemental data identifies a physical characteristic of a network 
device belongs and the first traffic flow is being transmitted to the 
network device. 

70. (Previously Presented) The method of claim 56, wherein the 
supplemental data pertains to a context of receipt of a second data 
packet belonging to the first traffic flow at a network device. 

71. (Previously Presented) The method of claim 70, wherein the 
supplemental data includes a time of day at which the second data 
packet was received at the network device. 

72. (Previously Presented) The method of claim 53, wherein the 
first and second instructions pertain to any one of routing, switching 
or bridging the network traffic. 

73. (Previously Presented) The method of claim 53, wherein the 
first traffic flow originated at a network device and the method 
further comprises the step of communicating information regarding the 
first data packet to the network device.

74. (Previously Presented) The method of claim 53, wherein at
least one of the first and second criteria and the first and second 
instructions are provided by a network administrator. 

75-76 Canceled 

77. (Currently Amended) A method of operating a network 
connection device, the network connection device having a first set of 
operations, a data ingress for receiving network traffic, a data 
egress for transmitting network traffic, and having at least a first 
criterion, a second criterion and first and second instructions stored
therein, the first and second instructions being associated with 
respective first and second traffic flow classes, the network traffic 
being composed of at least first and second traffic flows, each 
traffic flow being composed of at least one data packet, and the 
method comprising: 

(a) instantiating a virtual machine on the network connection 
device, the virtual machine having a second set of operations, the 
second set of operations being a sub-set of the first set of 
operations, 

(b) receiving an executable rule program including at least: 

(i) a first criterion, 

(ii) a second criterion, and 

(iii) first and second instructions, the first and second 
instructions being associated with respective first and second 
traffic flow classes, 

(c) receiving a first data packet that belongs to the first
traffic flow at the ingress of the network connection device,

(d) using the first criterion to determine that the first
data packet belongs to the first traffic flow,

(e) using the second criterion to determine a traffic flow
class to which the first traffic flow belongs,

(f) processing the first data packet according to the
instructions associated with the flow class to which the first traffic
flow belongs, and

(g) transmitting the first data packet from the egress
according to the instructions associated with the flow class to which
the first traffic flow belongs,

wherein steps (c) through (g) are managed by the virtual machine 
utilizing the identified operations from the second set of operations. 

78. (Cancelled) 

79. (Currently Amended) The method of claim 77, wherein step
(d) comprises comparing a first section of the first data packet to
the first criterion to determine that the first data packet belongs to
the first traffic flow, and step (e) comprises comparing a second
section of the first data packet to the second criterion to determine 
the traffic flow class to which the first traffic flow belongs, the 
second section being non-exclusive of the first section. 

80. (Currently Amended) The method of claim 77, further 
comprising the step of receiving supplemental data pertaining to the 
first traffic flow, wherein the supplemental data is received outside 
of the first traffic flow and step (e) further comprises comparing
the supplemental data to the second criterion to determine the class
to which the first traffic flow belongs.

81. (Previously Presented) The method of claim 80, wherein the
supplemental data comprises data concerning network access rights of a 
user of the network, a traffic flow belonging to a user having a first 
level of network access rights being classified as belonging to the 
first traffic flow class, and a traffic flow belonging to a user 
having a second level of network access rights being classified as 
belonging to the second traffic flow class. 

82. (Previously Presented) The method of claim 81, wherein the 
first and second instructions specify respective first and second 
bandwidth allocations. 

83. (Previously Presented) The method of claim 80, wherein the 
supplemental data comprises data concerning network access 
requirements of a network device and the first traffic flow originates 
at the network device. 

84. (Previously Presented) The method of claim 83, wherein the
network access requirements of the network device are based on network
access requirements of a client application executing on the network
device.

85. (Previously Presented) The method of claim 80, wherein the 
supplemental data comprises data concerning network traffic conditions 
at a network device and the first traffic flow originates at the 
network device.

86. (Previously Presented) The method of claim 80, wherein the
supplemental data is received from a registry within which data 
pertaining to multiple network devices is stored. 

87. (Previously Presented) The method of claim 80, wherein the 
supplemental data identifies a work group to which a network device 
belongs and the first traffic flow originates at the network device. 

88. (Previously Presented) The method of claim 80, wherein the 
supplemental data identifies a physical characteristic of a network 
device belongs and the first traffic flow originates at the network 
device.

89. (Previously Presented) The method of claim 80, wherein the 
supplemental data comprises data concerning network access 
requirements of a network device and the first traffic flow is being 
transmitted to the network device. 

90. (Previously Presented) The method of claim 89, wherein the 
network access requirements of the network device are based on network 
access requirements of a client application executing on the network 
device.

91. (Previously Presented) The method of claim 80, wherein the 
supplemental data comprises data concerning network traffic conditions 
at a network device and the first traffic flow is being transmitted to 
the network device.

92. (Previously Presented) The method of claim 80, wherein the
supplemental data identifies a work group to which a network device
belongs and the first traffic flow is being transmitted to the network
device.

93. (Previously Presented) The method of claim 80, wherein the 
supplemental data identifies a physical characteristic of a network 
device belongs and the first traffic flow is being transmitted to the 
network device. 

94. (Previously Presented) The method of claim 80, wherein the 
supplemental data pertains to a context of receipt of a second data 
packet belonging to the first traffic flow at a network device. 

95. (Previously Presented) The method of claim 94, wherein the 
supplemental data includes a time of day at which the second data 
packet was received at the network device. 

96. (Previously Presented) The method of claim 77, wherein the 
first and second instructions pertain to any one of routing, switching 
or bridging the network traffic. 

97. (Previously Presented) The method of claim 77, wherein the 
first traffic flow originated at a network device and the method 
further comprises the step of communicating information regarding the 
first data packet to the network device.

98. (Previously Presented) The method of claim 77, wherein at
least one of the first and second criteria and the first and second 
instructions are provided by a network administrator. 

99-100 (Cancelled).

101. (New) A method according to claim 53, wherein the rule 
program also identifies which operations from the second set of 
operations are to be used in carrying out the first and second 
instructions.

102. (New) A method according to claim 77, wherein the rule 
program also identifies which operations from the second set of 
operations are to be used in carrying out the first and second 
instructions.

103. (New) A method of managing network traffic being routed 
through a network connection device, the network connection device 
having a first set of operations, the network traffic being composed 
of at least first and second traffic flows, each traffic flow being 
composed of at least one data packet, and the method comprising: 

(a) instantiating a virtual machine on the network connection 
device, 

(b) receiving a rule program at the network connection device, 
the rule program including at least: 

(i) a first criterion for identifying the traffic flow to 
which a data packet belongs,

(ii) a second criterion for classifying a traffic flow as
belonging to one of at least first and second traffic flow 
classes, and 

(iii) first and second instructions for processing a data 
packet, the first and second instructions being associated with 
the first and second flow classes respectively, 

(iv) a list of a second set of operations, 

(c) executing the rule program by the virtual machine to 
configure the network connection device, 

(d) receiving a first data packet that belongs to the first 
traffic flow at the network connection device, 

(e) using the first criterion to determine that the first data 
packet belongs to the first traffic flow, 

(f) using the second criterion to determine the traffic flow 
class to which the first traffic flow belongs, and 

(g) processing the first data packet according to the 
instructions associated with the flow class to which the first traffic 
flow belongs, 

wherein steps (d) through (g) are managed by the virtual machine 
utilizing only the operations in the second set of operations. 

104. (New) A method of operating a network connection device, the 
network connection device having a first set of operations, a data 
ingress for receiving network traffic, a data egress for transmitting 
network traffic, the network traffic being composed of at least first 
and second traffic flows, each traffic flow being composed of at least 
one data packet, and the method comprising: 

(a) instantiating a virtual machine on the network connection 
device,

(b) receiving an executable rule program including at least:

(i) a first criterion, 

(ii) a second criterion,

(iii) first and second instructions, the first and second 
instructions being associated with respective first and second 
traffic flow classes, and 

(iv) a list of a second set of operations, 

(c) receiving a first data packet that belongs to the first 
traffic flow at the ingress of the network connection device, 

(d) using the first criterion to determine that the first data 
packet belongs to the first traffic flow, 

(e) using the second criterion to determine a traffic flow class 
to which the first traffic flow belongs, 

(f) processing the first data packet according to the 
instructions associated with the flow class to which the first traffic 
flow belongs, and 

(g) transmitting the first data packet from the egress according 
to the instructions associated with the flow class to which the first 
traffic flow belongs, 

wherein steps (c) through (g) are managed by the virtual machine 
utilizing only the operations in the second set of operations. 
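
The restriction that claims 103 and 104 place on the virtual machine (it may use only the listed second set of operations) can be sketched as follows. This is an added illustration, not text or code from the filing; the operation names, packet fields, class tests and the use of an out-of-band access level (as in claims 56 to 58) are all assumptions.

```python
# Added illustration, not text from the filing; every name here is hypothetical.
from dataclasses import dataclass

# "First set of operations": everything the device itself can do (constructed).
DEVICE_OPS = {
    "forward": lambda pkt, arg: {**pkt, "egress": arg},
    "set_bandwidth": lambda pkt, arg: {**pkt, "kbps": arg},
    "drop": lambda pkt, arg: None,
    "write_config": lambda pkt, arg: pkt,   # privileged, not meant for rule programs
}

@dataclass
class RuleProgram:
    flow_fields: tuple      # (i) first criterion: fields that identify a flow
    class_tests: tuple      # (ii) second criterion: ordered (field, value, class)
    default_class: str      # class used when no test matches
    instructions: dict      # (iii) flow class -> [(operation, argument), ...]
    allowed_ops: frozenset  # (iv) list of the second set of operations

class RuleVM:
    def __init__(self, program):
        # The second set must be a subset of the device's own operations.
        extra = set(program.allowed_ops) - set(DEVICE_OPS)
        if extra:
            raise ValueError(f"not device operations: {sorted(extra)}")
        # Check every instruction at load time, before any packet is handled.
        for cls, steps in program.instructions.items():
            for op, _ in steps:
                if op not in program.allowed_ops:
                    raise PermissionError(f"class {cls!r} uses {op!r}, outside the second set")
        self.program = program
        self.flow_class = {}  # flow id -> class, decided once per flow

    def process(self, pkt, supplemental=None):
        p = self.program
        flow = tuple(pkt[f] for f in p.flow_fields)            # step (e)
        if flow not in self.flow_class:                        # step (f)
            view = {**pkt, **(supplemental or {})}
            self.flow_class[flow] = next(
                (c for f, v, c in p.class_tests if view.get(f) == v), p.default_class)
        for op, arg in p.instructions[self.flow_class[flow]]:  # step (g)
            pkt = DEVICE_OPS[op](pkt, arg)
            if pkt is None:                                    # packet dropped
                break
        return pkt

def demo_program(extra_step=()):
    """Constructed sample: two classes with different bandwidth allocations."""
    return RuleProgram(
        flow_fields=("src", "dst", "dport"),
        class_tests=(("access_level", "staff", "first"),),
        default_class="second",
        instructions={"first": [("set_bandwidth", 10000), ("forward", "eth1"), *extra_step],
                      "second": [("set_bandwidth", 512), ("forward", "eth1")]},
        allowed_ops=frozenset({"forward", "set_bandwidth", "drop"}))
```

Rejecting a program at load time, rather than when an instruction first runs, means a rule program that names an operation outside its declared set never touches a packet.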